🛡️Wallet Security

Validator permission grants

Validator permission grants

To enhance security and eliminate the need to store the validator wallet private keys on the server, an intermediate address can be used. This intermediate address is granted the necessary permissions to withdraw rewards and commissions, as well as to vote on behalf of the validator. Below is a detailed description of the process and an explanation of all parameters and commands involved:

Description

The objective is to delegate specific operational tasks of a validator to a grantee (intermediate address) by granting them necessary permissions. This setup ensures that the validator's private keys are not stored on the server, thereby improving security. The grantee will be authorized to:

1. Withdraw delegator rewards.

2. Withdraw validator commissions and rewards.

3. Vote on governance proposals.

Parameters

BINARY=<binary>

Path to the binary executable of the daemon (e.g., $HOME/go/bin/dymd).

GRANTEE_ADDRESS=<your address>

Address of the grantee (intermediate address) which will receive the permissions.

WITHDRAW_ADDRESS=<destination address>

Address to which rewards and commissions will be withdrawn.

VALIDATOR_ADDRESS=<your address>

The validator's wallet address.

VALOPER=<your valoper>

Validator operator address.

FEES=<fees>

Transaction fee (e.g., 5000000000000000adym).

GAS=<gas>

Gas limit for transactions (e.g., 350000).

PASS=<your password>

Password for keyring access and sending transactions.

To grant the necessary permissions, the validator's wallet must be present in the keyring (key storage). Also grantee`s wallet must be added to the keyring and a small amount of coins should be sent to it to cover the gas fees for future authorized transactions. After the permissions have been granted, the validator's wallet can be safely removed from the server. This ensures that the validator's private keys are no longer stored on the server, enhancing the overall security of the system.

Commands

1. Set Withdraw Address

   yes $PASS | $BINARY tx distribution set-withdraw-addr $WITHDRAW_ADDRESS --from $VALIDATOR_ADDRESS --fees $FEES --gas $GAS -y

   • Sets the address where rewards will be withdrawn.

2. Grant Authorization to Grantee

   • Grant permission to withdraw delegator rewards:

     yes $PASS | $BINARY tx authz grant $GRANTEE_ADDRESS generic --msg-type /cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward --from $VALIDATOR_ADDRESS --fees $FEES --gas $GAS -y
   • Grant permission to withdraw validator commissions:

     yes $PASS | $BINARY tx authz grant $GRANTEE_ADDRESS generic --msg-type /cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission --from $VALIDATOR_ADDRESS --fees $FEES --gas $GAS -y
   • Grant permission to vote on governance proposals:

     yes $PASS | $BINARY tx authz grant $GRANTEE_ADDRESS generic --msg-type=/cosmos.gov.v1.MsgVote --from $VALIDATOR_ADDRESS --fees $FEES --gas $GAS -y

   Now we can safely delete our Validator Wallet from this server. VALIDATOR_ADDRESS

3. Execute Authorized Transactions

   • Withdraw validator commission and rewards:

     yes $PASS | $BINARY tx authz exec <($BINARY tx distribution withdraw-rewards $VALOPER --commission --from $VALIDATOR_ADDRESS --generate-only) --from $GRANTEE_ADDRESS --fees $FEES --gas $GAS -y

     • Executes the withdrawal of validator commission and rewards using the granted authorization.

   • Vote on a governance proposal:

     yes $PASS | $BINARY tx authz exec <($BINARY tx gov vote $PROPOSAL_ID $VOTE_OPTION --from $VALIDATOR_ADDRESS --generate-only) --from $GRANTEE_ADDRESS --fees $FEES --gas $GAS -y

     • Executes a governance vote using the granted authorization. Ensure to replace $PROPOSAL_ID with the proposal ID and $VOTE_OPTION with the vote option.